The Green Sheet Online Edition

October 22, 2007  •  Issue 07:10:02


Is the PCI DSS pie in the sky? The NRF's Hogan wants to know

In a letter to the Payment Card Industry (PCI) Security Standards Council delivered Oct. 4, 2007, the National Retail Federation cited continued data security breaches despite the implementation of the PCI Data Security Standard (DSS) and the burden PCI compliance puts on merchants.

NRF Chief Information Officer David Hogan addressed the letter to Bob Russo, the PCI council's General Manager. He claimed that the PCI DSS has largely failed in its ultimate goal: to protect sensitive customer information from theft and fraudulent use. He argued that merchants should be required to store minimal customer data, if any.

Hogan wrote that it is "unlikely PCI will ever be able to keep pace with the continually evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks. We believe the time has come to rethink the assumptions behind PCI."

According to Hogan, if the PCI DSS does not work, "the ultimate solution is to stop requiring merchants to store card data in the first place."

Hogan told The Green Sheet, "[Not storing the data] is a commonsense approach to reduce the risk of credit card fraud."

His idea was that merchants should have to store only the authorization code provided at the time of sale and a truncated receipt. The merchant would still have a record of the transaction showing approval by the card company, and the sales receipt would serve as proof of purchase and as the basis for returns.

"Neither [the authorization code nor the receipt] would contain the full account number, and would therefore be of no value to a potential thief," Hogan said.

But Adil Moussa, an Analyst for the Aite Group LLC, took issue with Hogan's plan. "Very logical, but really not the way to go," Moussa said. "The authorization code is not long enough. It's only six digits long and there is the possibility of duplication [of the numbers]."

Moussa preferred another approach that would use a "unique transaction code to identify the transaction and keep that record for ulterior processing of chargebacks if they happen."

But Scott Krugman, Vice President of Industry Public Relations at the NRF, disagreed with Moussa. He believes the authorization code and the receipt solution offered by Hogan would have enough accurate information in case of a chargeback.

"It's very, very, very simple," Krugman said. "The merchant should have [the customer's credit card number] only long enough to complete the transaction."

Moussa understood the NRF's concerns. "Mr. Hogan is saying, let's keep it simple," he said. "Why don't you, the card companies and the PCI council, simplify it so we, the merchants, don't have to jump through so many hoops?"

"All parties are interested in the same thing: To protect customers' information," Krugman said.

When it comes to merchants storing customer data, however, Hogan said the PCI council and the card Associations are "talking from both sides of their mouth."

Requirement 3 of the PCI DSS guidelines states:

But, Hogan wrote, "Credit card company rules require merchants to store the credit card data that criminals are so eager to steal."

Hogan wondered if the card companies created the PCI DSS "to make money" from fines levied on merchants who do not achieve PCI compliance.

If the card Associations would agree in principle with his idea, Hogan believes it will be "good for the consumer. ... But if they [the card Associations] don't want to significantly reduce data breaches and ultimately credit card fraud, then they're not that serious about helping the consumer."

At press time, The Green Sheet had been unable to reach Mr. Russo for comment.
